Frequently Asked Questions

General

ATT&CK is a knowledge base of cyber adversary behavior and a taxonomy for adversarial actions across the attack lifecycle. ATT&CK has several parts: PRE-ATT&CK, which focuses on adversary activity "left of" delivery and exploitation (reconnaissance, weaponization, and related preparation); ATT&CK for Enterprise, which covers initial access/exploitation and everything after it; and ATT&CK for Mobile, which focuses on mobile devices.
For more information about the different ATT&CK domains visit:
MITRE started ATT&CK in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks. It was created out of a need to document adversary behaviors for use within a MITRE research project called FMX. The objective of FMX was to investigate use of endpoint telemetry data and analytics to improve post-compromise detection of adversaries operating within enterprise networks. ATT&CK was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.
Tactics represent the "why" of an ATT&CK technique. A tactic is the adversary's tactical objective: the reason for performing an action.
Techniques represent "how" an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials to achieve credential access.
Procedures are the exact ways a particular adversary or piece of software implements a technique. These are described in the examples sections of ATT&CK techniques.
ATT&CK covers enterprise IT systems running Windows, macOS, and Linux, and mobile devices running Android and iOS.
ATT&CK can be used in several ways to help security operations, threat intelligence, and security architecture. See page 3 of The Design and Philosophy of ATT&CK whitepaper for more details on the various use cases for ATT&CK. Also check out the Resources section of the website and the blog for related projects and other resources.

Content

Quarterly.
Publicly available threat intelligence and incident reporting is the main source of data in ATT&CK. We take what is available publicly and distill out common TTPs. We also use publicly available research on new techniques that closely aligns with what adversaries commonly do, since new TTPs often get used in the wild quickly. For more information, see The Design and Philosophy of ATT&CK.

Check out our contribute page!

Please contact us before spending a lot of time writing up a new technique/group/software since we always have things in the works and don’t want you to duplicate efforts. For any contributions we add, we’ll run the final product by you and credit you as a contributor. In particular, we’re looking for Mac/Linux contributions.

We try to include most threat reporting, but we can only get to so much. If you feel information is missing, help us by contributing to ATT&CK. Reach out to see if we are already working on the group, and review our contribute page for guidance on the formatting of group and software submissions.

Resources

Yes! Check out this page: Interfaces for Working with ATT&CK

Staying Informed

Follow @MITREattack on Twitter for news and check out our blog for posts about topics related to ATT&CK.

Legal